When Corcentric first contracted with Schellman & Company, the agreement was for an initial SOC 1 readiness assessment of the COR360 AP Automation Solution, the product through which Corcentric gives its clients faster invoice processing. That was in 2014, seven years ago, and the partnership between assessor and organization has flourished since, despite major upheaval over the years spent working together: an entirely new internal compliance team at Corcentric, and the many new assessments needed to accommodate the company's ongoing acquisitions and organic growth.
Maintaining compliance is a challenge in itself; doing so while also merging two companies and their applications is more complicated still. The acquiring organization has to keep up its original compliance commitments and the auditors attached to them, investigate those same particulars at the organization being acquired, and only then begin blending the two sets of processes for efficiency. Not an easy task, but one that Corcentric continues to streamline, having already come a long way.
When Corcentric engaged Schellman & Company in 2014 for its first ever compliance examination, the initial SOC 1 readiness assessment of COR360, it went on to complete further SOC examinations over the next several years. At the time, Corcentric was completely unfamiliar with these processes, as it had not yet established an internal information security team, and so Schellman took the lead in guiding the supply management solutions provider on the journey to compliance, both for its legacy applications and for those it would acquire over time. It was a lot of trust to place in a third party, but Schellman operated in good faith from the beginning. “We had a lot of good discussions over those initial years that led to interesting questions from them across the board, but our goal throughout was the same,” says Scott Zelko, Principal at Schellman. “We always wanted to provide them with the information and options to make the best choice for them, which I think created a lot of trust and eased some of the new challenges as they’ve come up.”
The first of those bigger challenges arose in 2018, when Corcentric began acquiring other service providers, which required scoping additional compliance services to cover Corcentric’s new responsibilities. Continuing the partnership, Schellman performed those assessments and remained the primary audit provider on information security topics at Corcentric until the hiring of Daniel Gottovi as Vice President of Information Security and Compliance in 2019, the company’s first dedicated internal compliance hire.
Now entrusted with building an entire program for Corcentric, Gottovi had to hit the ground running, since the organization was already moving toward another acquisition: Determine, another software solution provider that, coincidentally, had also previously engaged Schellman for compliance services. Determine had contracted for three SOC 2 reports and a HIPAA attestation; all of these were added to Corcentric’s accrued compliance portfolio, brought under the Corcentric umbrella with Schellman, and repeated in 2020. Though the acquisition represented more new territory for Corcentric, Schellman, as the company’s long-term auditor, was comfortable with its methodology and approach to such tailored situations.
“Over the years, it’s always started with listening to their description of each acquisition and then asking questions, since not all acquisitions are the same in the way they are handled or what they bring with them,” explains Zelko. “The key question that we always look to understand prior to providing feedback is how the acquisition is going to be integrated. Sometimes, they are merged into existing services or offerings, but other times, they will continue to operate as a standalone service, or even replace an existing service. Knowing those particulars, along with the timing of the planned integration, can give us a good picture of the impact on the compliance issues for both sides.”
With any acquisition there are many moving parts, even just those related to compliance, but as it had in the past, Schellman worked to help Corcentric identify and deal with potential compliance challenges surrounding the acquisition of Determine, while simultaneously getting the company’s new leader of information security up to speed. “I was still learning a lot about the company and the applications at the time, and so Schellman was great, because they helped me through that process,” says Gottovi. “I consider myself lucky because Schellman was already involved when I came on.”
It was contacts at Determine who had connected Corcentric with its new head of information security in the first place, so when it came time to merge, that familiarity helped as well. “The Determine acquisition was actually very easy because I knew that I was coming into a position with people that I had worked with before—that I could trust—so that helped. Though I hadn’t yet worked with Schellman, Determine had for their SOC 2 examinations and a HIPAA. They only said great things, and so I trusted that those attestations were well-handled,” explains Gottovi. Still, he quickly learned of the other resources at his disposal and put them to good use.
“This whole process was new to me. Luckily, the Corcentric 360 platform had been through a SOC 1 already, and there were people around who had supported that effort, so I had some names and a framework to build around. Having that history there to review so I could ensure we were providing what was necessary for the current examinations was critical.”
Throughout these endeavors, Schellman remained a steadfast advisor, unfazed in the face of new challenges. “Whenever our clients approach an acquisition and come to us with questions, we’re always confident that we can help. Even if there are new compliance complications to tackle, the breadth of our collective experience both as individuals and a firm helps us find at least a little something to leverage in our search for each new, tailored solution for our clients,” says Jay Imszennik, Senior Manager at Schellman.
Schellman’s audit management application, AuditSource®, also proved very useful for Corcentric. “It was a gamechanger,” declares Gottovi. “Having previously operated through SharePoint for these things, AuditSource® made managing the process so much easier—I could track the flow of things, like what’s been submitted and what’s past due. Rather than having to shoot emails all over the place, it was a much smoother process to just handle all queries within that platform.”
The results of the two years since Gottovi’s hire speak for themselves. Corcentric remains on track for the SOC 1 examinations that originated the relationship with Schellman, as well as the three SOC 2 reviews carried over from Determine and the HIPAA attestation added for Corcentric in 2020. The hard work done by organization and assessor to achieve successful attestations has benefited Gottovi and his growing audit program, as well as Corcentric’s customers. “Regarding supplier change management and risk auditing, being able to provide some level of assurance to your customers, since you are part of their supply chain, having a third-party review of your application—it helps so much,” says Gottovi. “Yes, you could very easily just believe me when I say we’re doing things the right way, but of course, I can’t just send over comprehensive, confidential internal data to actually prove that it’s true. So having a third-party review to point to helps assure your clients that you are, in fact, a good steward to be trusted with their data.”
Between all the attestations, Gottovi continues to build up his internal program and shore up the organization’s overall approach to information security. With Schellman’s help and coordination, he has been able to migrate features of Determine’s well-established audit review program to Corcentric and forge his own cadence, including an improved, company-wide awareness of security. Still, the company continues to evolve, and Gottovi remains charged with managing the growing tree of compliance reviews that every new acquisition brings with it. “There’s another company we are merging in with an ISO certification, as well as another that right now is operating as a wholly owned subsidiary—they have their own program,” explains Gottovi. “Those guys have been doing SOC 2 attestations and self-assessing for PCI—down the road, we will consider how we will pull that in, and perhaps go with a more formal PCI review. As we continue to merge and mesh together all of these applications, we will continue to evolve with Schellman as we go forward and approach that.”
While SOC 1 and SOC 2 remain the core of Corcentric’s compliance needs, Gottovi is convinced that any necessary branching out to other certifications will also take place in collaboration with the assessor the company has worked with for many years. “In working with Schellman, they are extremely clear about identifying the control sets. I’m getting so much more familiar with SOC thanks to these guys, and having them help out in terms of getting everyone at Corcentric involved to understand what these examinations mean, what they are defining—it ensures that this whole process yields what we need to support our applications and our customers who rely on them,” says Gottovi. “Schellman are so honest about everything. From the very beginning of the engagements, they make everyone understand what’s needed—both from us and from them—and they communicate clear timelines for those things as well so we can plan ahead. They’re always helping us make sure we are doing the right things. It’s been a great experience working with them.”
Though discussions between the two organizations about the future compliance roadmap are ongoing, the challenges are already clear: making sure the necessary controls are maintained as applications are merged, while also ensuring that the legacy customers attached to each platform remain supported. Nevertheless, “things are coming together,” says Gottovi. “We’ve got another person on the team now, and are considering adding another position to focus on this audit area and make sure we’ve got things running smoothly. We’ve got this whole program now, and there are a lot of things that we can look at to improve, from our policy to our business continuity planning and more—lots to do.”